FDA CFR Part 11 regulations and Indian Companies

It appears that, of late, the US FDA has been tightening the implementation of CFR part 11 regulations regarding maintenance of records in electronic form.

The tremors are now being felt in India, since these regulations also affect Indian pharma companies whose drugs are in the US market. Non-compliance may lead to FDA warning notices to the pharma companies.

These regulations affect not only the pharma companies seeking FDA clearances for their drugs or equipment, but also the IT companies that provide services to such companies.

Hence, “CFR Part 11 compliance” has now become a point of focus even for the Indian IT industry, which produces software and provides other cloud-based services to entities in the USA that are exposed to FDA regulations.

It appears that there has been significant resistance from the US pharma industry to the regulations, to the extent that the regulator himself is apologetic about implementing the regulations in a “narrow” manner, very much unlike the aggressive stance taken by HIPAA regulators.

One of the objections is of course because the industry thinks that compliance will cost a bomb. However, this is only a bogey raised by the industry to escape the regulation.

I wish the Indian stakeholders do not get perturbed by the US tirade that this compliance is expensive and therefore prefer to defer it. I have been working on HIPAA regulatory compliance for Indian Business Associates for more than a decade and assure that this CFR part 11 compliance is neither expensive nor technically problematic.

With my earlier experience on HIPAA compliance and ITA 2008 compliance, I am already in the process of setting up a suitable framework for both Indian pharma industries and Indian software industries which should make the implementation uncomplicated.

In my considered opinion, if a company implements a good ITA 2008 compliance program, it is not difficult to also be in compliance with CFR part 11.

However, most companies at present are not compliant with ITA 2008, and some have only a namesake compliance with ITA 2008. Since the Indian regulatory authorities are not strong on implementation, companies are able to declare themselves to be ITA 2008 compliant though they are really far from being compliant.

Hence, even those companies who declare themselves to be ITA 2008 compliant or ISO 27001 compliant or PCI DSS compliant may not pass muster for CFR Part 11 compliance.

Directors of such companies therefore need to personally look into the requirements of CFR part 11 compliance without going by the assertion of their subordinates that they are compliant either to ITA 2008 or CFR part 11.

If therefore there is any organization in India which is exposed to CFR Part 11 regulations such as

  1. The Pharma Companies
  2. Software development company with a product offer to the Pharma companies
  3. Mobile App development company with a product offer to the Pharma companies
  4. Cloud service operators who provide hosting and data management services to pharma companies, etc.,

I suggest that they immediately review their compliance program and take steps for compliance as may be required.

I would be happy to provide any further clarification to any company which wants further information on this new domain of compliance.



About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.

2 Responses to FDA CFR Part 11 regulations and Indian Companies

  1. Omkar says:

    Which are the industries which will have need of this compliance? Is there a way of tracking / following up with these companies?

    • 98410spice says:

      Companies which produce software used in medical research or collection of medical research data in USA or engaged directly with the US hospitals and research organizations involved in testing of medical equipment or drugs are directly exposed to FDA CFR compliance. These companies are also exposed to HIPAA.
